Slashdot Mirror


NSA Official: Supporting Backdoored Random Number Generator Was "Regrettable"

Trailrunner7 writes In a new article in an academic math journal, the NSA's director of research says that the agency's decision not to withdraw its support of the Dual EC_DRBG random number generator after security researchers found weaknesses in it and questioned its provenance was a "regrettable" choice. Michael Wertheimer, the director of research at the National Security Agency, wrote in a short piece in Notices, a publication of the American Mathematical Society, that even during the standards development process for Dual EC many years ago, members of the working group focused on the algorithm raised concerns that it could have a backdoor in it. The algorithm was developed in part by the NSA and cryptographers were suspect of it from the beginning. "With hindsight, NSA should have ceased supporting the dual EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor. In truth, I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable," Wertheimer wrote in a piece in Notices' February issue.

106 comments

  1. Wait, which part is he sorry about now? by Narcocide · · Score: 5, Insightful

    Is he sorry that they created a monster or is he just sorry that they got caught and now their credibility is in the trash can?

    1. Re:Wait, which part is he sorry about now? by Anonymous Coward · · Score: 4, Insightful

      The latter, obviously. And "I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable" What about "criminal"?

    2. Re:Wait, which part is he sorry about now? by Anonymous Coward · · Score: 0

      As long as these NSA jokers eat their own shitty dogfood I have no problem with their algorithms. Use the hell outta them. Suffer the consequences. Learn what "regrettable" really means before fucking off and dying a protracted, painful death.

    3. Re:Wait, which part is he sorry about now? by swillden · · Score: 3

      Is he sorry that they created a monster or is he just sorry that they got caught and now their credibility is in the trash can?

      He's sorry that they continued supporting it after the flaws were discovered. He regrets that they were so obvious.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:Wait, which part is he sorry about now? by johnsnails · · Score: 0

      This is both +5 Insightful and -1 Redundant simultaneously.

    5. Re:Wait, which part is he sorry about now? by penguinoid · · Score: 5, Insightful

      "Words cannot express how sorry we are. Next time, we will make sure the backdoor is much less obvious."

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    6. Re:Wait, which part is he sorry about now? by rtb61 · · Score: 3, Interesting

      Worse than that, they had intended to use the power they control to attempt to force the use of it. The real question is how long before other people discovered the flaw were they aware of it and was it the only reason they supported it in the first place. This makes far more sense when you consider they still pushed it once the flaw was discovered, they were already heavily invested in pushing it onto the public exactly because of that flaw, they wanted that flaw. So who originated the work and thus who can not now be trusted as they are very likely an undercover NSA agent. Which brings to the point how many others are out there, how many others are working to break your security, how many others are out there working on entrapment and extortion plans and how many others can not be trusted to touch your hardware because they will touch it in a very naughty way.

      Brings to mind the penalties private corporations have been paying when they have failed to secure the privacy of the public, how many of those were as a direct result of an incursion led by the NSA and basically leaving holes which others have then exploited. Just like the FBI and Lulzsec, most of the damage was done after the FBI took over and were seeking to groom minors into a life of crime, supply the resource, the technology and the targets, so they could what prosecute them or recruit them or as it seems most likely, both.

      The NSA and the FBI and all the rest are going to run into the exact same problem, they are going to end up recruiting privacy invasive perverts who get a kick out of invading the private lives of others, creating that perverted delusion of control over others and that will inevitably reflect upon how the agencies carry out their activities. How the individuals within them will get a sexual kick about invading the privacy of others and how given time that kick will demand greater and greater control and express itself as schemes of extortion, whether to break into other secure data stores, whether to profit or whether to extend that sexual perversion into direct personal molestation.

      --
      Chaos - everything, everywhere, everywhen
    7. Re:Wait, which part is he sorry about now? by Narcocide · · Score: 0

      No, it's not because I was first post. All the others are redundant.

    8. Re:Wait, which part is he sorry about now? by Anonymous Coward · · Score: 0

      that whooshing sound is the sound of it still being so obvious it counts as redundant despite being first post.

    9. Re:Wait, which part is he sorry about now? by johnsnails · · Score: 0

      Yup that is what I was referring to!

      But don't get me wrong, I am with you (Narcocide) on the +5 Insightful! I more just meant the cynicism we hold for NSA is such that we assume that when they apologise, it's for getting caught not for doing wrong.

    10. Re:Wait, which part is he sorry about now? by Narcocide · · Score: 1, Insightful

      No, I think you both still miss the point. I was "first post" before this article, Snowden, or anyone else. I was saying this was happening before even Slashdot's founding. I simply guessed it, well over a decade ago by following the money. Only then I wasn't rated "+5 Insightful" I was rated by my peers as "-5 crazy for saying the emperor is naked."

    11. Re:Wait, which part is he sorry about now? by BenJeremy · · Score: 3, Interesting

      The latter, obviously. And "I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable" What about "criminal"?

      I think the proper word is "Treasonous"

      In the DoD, the NSA-backed algorithms have been used without question, and in creating a backdoor'd generator, they've compromised our national security.

    12. Re:Wait, which part is he sorry about now? by johnsnails · · Score: 0

      In that case, Kudos to you!

    13. Re:Wait, which part is he sorry about now? by pitchpipe · · Score: 0

      No, I think you both still miss the point. I was "first post" before this article, Snowden, or anyone else. I was saying this was happening before even Slashdot's founding. I simply guessed it, well over a decade ago by following the money. Only then I wasn't rated "+5 Insightful" I was rated by my peers as "-5 crazy for saying the emperor is naked."

      Will the real first post please stand up.

      --
      Look where all this talking got us, baby.
    14. Re:Wait, which part is he sorry about now? by Anonymous Coward · · Score: 0

      They got it added to NIST. So it's essentially a REQUIREMENT for many Federal agencies (and whoever else wants to follow suit) to implement this!!!!!

      Even after it was found, it was still technically the rule to use it. So it was a legally enforced backdoor on the government, which was published for years in learned circles (http://en.wikipedia.org/wiki/Dual_EC_DRBG).

      I think your comment and your choice of word "Treasonous" are absolutely spot on...

      We truly live in a world of unaccountability. This is by far, in my opinion, the biggest problem in our society.

    15. Re:Wait, which part is he sorry about now? by davester666 · · Score: 5, Insightful

      "Words cannot express how sorry we are. The next time, we made sure the backdoor was much less obvious"

      FTFY

      --
      Sleep your way to a whiter smile...date a dentist!
    16. Re:Wait, which part is he sorry about now? by K. S. Kyosuke · · Score: 1

      I thought that Type 1 products were mandated for the secret stuff? These things tend to be either proprietary or well-tested (not cutting-edge). I'm not sure if national-security-relevant information is allowed to get stored using recent and publicly known encryption.

      --
      Ezekiel 23:20
    17. Re:Wait, which part is he sorry about now? by strack · · Score: 1

      What he's actually saying is he thinks mathematicians and programmers are stupid enough that he believes it's worth his time to bullshit us in writing after the NSA got caught with its hand in the cookie jar. He's insulting our intelligence. He's showing us his gaping asshole, telling us it's not actually shit, and inviting us to take another sniff.

    18. Re:Wait, which part is he sorry about now? by AmiMoJo · · Score: 4, Informative

      It's worse than that. The NSA is demonstrating how incredibly arrogant it is. The apology is for not dropping support once the flaws become public knowledge. The implicit assumption is that it was secure before the flaw was made public, which shows how little the NSA thinks of foreign intelligence agencies. Clearly there was no way one of them could have found it and been exploiting it for years.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    19. Re:Wait, which part is he sorry about now? by barbariccow · · Score: 1

      They got it added to NIST. So it's essentially a REQUIREMENT for many Federal agencies (and whoever else wants to follow suit) to implement this!!!!!

      That's not true anymore. NIST removed that recommendation. They now only recommend aes128 192 or 256.

    20. Re:Wait, which part is he sorry about now? by Anonymous Coward · · Score: 0

      We truly live in a world of unaccountability. This is by far, in my opinion, the biggest problem in our society.

      Hold on. We, the people, are wholly accountable. Did you take a risk that failed? Has something gone wrong that could possibly be linked to your negligence? Welcome to years of court appointments, wherein we determine exactly how accountable you are.

      Our betters, in the upper echelons of government and industry, are immune to such scrutiny. And rightly so! It might interfere with their oh-so-important jobs of protecting us sheep from being crushed by a falling sky. Just think what the terrorists would do to you if our masters didn't have extraordinary powers to shepherd us mundanes. Shame on you for doubting their omnipotence.

    21. Re:Wait, which part is he sorry about now? by Anonymous Coward · · Score: 0

      This is the very word I was thinking of as well.

    22. Re:Wait, which part is he sorry about now? by Required Snark · · Score: 4, Informative

      Treason is not the correct term. It refers to betrayal of country.

      In law, treason is the crime that covers some of the more extreme acts against one's sovereign or nation. Historically, treason also covered the murder of specific social superiors, such as the murder of a husband by his wife or that of a master by his servant.

      The correct term is Sedition.

      In law, sedition is overt conduct, such as speech and organization, that is deemed by the legal authority to tend toward insurrection against the established order. Sedition often includes subversion of a constitution and incitement of discontent (or resistance) to lawful authority. Sedition may include any commotion, though not aimed at direct and open violence against the laws. Seditious words in writing are seditious libel. A seditionist is one who engages in or promotes the interests of sedition.

      Note the boldface. In this case the "established order" is the rule of law enshrined in the constitution. The NSA has subverted the constitution with warrantless mass surveillance. The Department of Homeland Security (aka Department of Homeland Pork) has ignored the constitutional right to due process with the "no fly list": there is no official way to find out if you are on it or to be removed from the list.

      These actions, along with many current policies, are absolutely unconstitutional. In short, sedition. They betray the constitutional rule of law. Treason typically is the betrayal of one's country to another sovereign entity.

      --
      Why is Snark Required?
  2. our failure to drop support by zlives · · Score: 1

    "describe our failure to drop support for the Dual_EC_DRBG algorithm" = as designed

  3. regrettable... by Anonymous Coward · · Score: 0

    ...that they got caught, he means.

  4. That's why we gave EMC money by Anonymous Coward · · Score: 2, Insightful

    To ensure its inclusion as default in RSA products.

    1. Re:That's why we gave EMC money by Smallpond · · Score: 5, Informative

      To ensure its inclusion as default in RSA products.

      Yup. $10M to use it as the default encryption mode. They also tried to require it for FIPS certification so pardon my gasps of disbelief.

    2. Re:That's why we gave EMC money by Anonymous Coward · · Score: 0

      They also tried to require it for FIPS certification so pardon my gasps of disbelief.

      Makes you think that "FIPS Certification" really == DoD back-doors.

      I guess from their perspective that really does make such software "safer" - or at least safer for the DoD's budgets when such software is used by competitors for DoD funding.

    3. Re:That's why we gave EMC money by Anonymous Coward · · Score: 1

      I guess from their perspective that really does make such software "safer"

      I always wonder why the NSA/CIA, etc think that it's ok if they have backdoor keys into encryption when it's pretty obvious that that backdoor will leak eventually and be used by criminal or terrorist actors. Maybe that's the point -- if the NSA can keep everyone frightened then they can continue with the program.
      But they must realize that it really makes everyone less secure in the long run.

      maybe that's what this article is about -- they realize their cover is blown and their goals are obviously exposed now

    4. Re:That's why we gave EMC money by Anonymous Coward · · Score: 5, Insightful

      The reason this back door was acceptable to them was they essentially convinced the world to use their public key as the standard seed for the algorithm. It's like putting your account information on random deposit slips at the bank. It's not the sort of "hack" that compromises your own security as long as your "private key" remains secret.

      Contrast this with DES/AES, where they have fought to make the algorithms more secure. Not because they want what's best for everyone, but because those vulnerabilities were something that an adverse nation state could potentially independently discover where they didn't have an exclusive ability to exploit the weakness.

      Now their intentions are clear: they aren't enlightened good guys. They're just pragmatic attackers. An exploit that is just as likely to benefit China or Russia is worse than no exploit at all. An exploit that only they can benefit from is golden. At least now we know where to look when doing our code audits.
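
The relationship this comment describes (a published constant that works like a public key, with the matching private value held by whoever chose it), shown as an added example that is not part of the thread or of any standard's reference code: a simplified Dual EC step over P-256 in which a constructed secret e defines Q = e*P, and d = e^-1 mod n lets its holder turn two output blocks into the generator's state. The secret e, the seed, the 8-bit truncation, the omission of reseeding and additional input, and the hash-derived Q in `derive_q` (a mitigation sketch) are assumptions of the example.

```python
import hashlib

# NIST P-256 domain parameters (published values). All other values are constructed.
P_FIELD = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A, B = -3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
DROP_BITS = 8                       # demo truncation width (assumption, keeps the search short)
MASK = (1 << (256 - DROP_BITS)) - 1

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_FIELD, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD)
    lam %= P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return x3, (lam * (x1 - x3) - y1) % P_FIELD

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def lift_x(x):
    """Return a curve point with this x-coordinate, or None if there is none."""
    if x >= P_FIELD:
        return None
    rhs = (pow(x, 3, P_FIELD) + A * x + B) % P_FIELD
    y = pow(rhs, (P_FIELD + 1) // 4, P_FIELD)       # square root, valid since p % 4 == 3
    return (x, y) if y * y % P_FIELD == rhs else None

class DualEC:
    """Simplified Dual EC step: s = x(s*P), output = truncated x(s*Q)."""
    def __init__(self, seed, P, Q):
        self.s, self.P, self.Q = seed, P, Q

    def next_block(self):
        self.s = mul(self.s, self.P)[0]
        return mul(self.s, self.Q)[0] & MASK

def recover_state(block1, block2, d, Q):
    """Given d with P = d*Q, turn two output blocks into the internal state."""
    for hi in range(1 << DROP_BITS):                # guess the truncated top bits
        R = lift_x((hi << (256 - DROP_BITS)) | block1)
        if R is None:
            continue
        s_next = mul(d, R)[0]                       # x(d * s*Q) = x(s*P) = next state
        if (mul(s_next, Q)[0] & MASK) == block2:    # confirm against the second block
            return s_next
    return None

def derive_q(label):
    """Mitigation sketch: hash a public label to a point, so nobody picks its discrete log."""
    counter = 0
    while True:
        digest = hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        pt = lift_x(int.from_bytes(digest, "big"))
        if pt is not None:
            return pt
        counter += 1

def demo():
    e = 0xC0FFEE5EC2E70123456789ABCDEF              # constructed "designer" secret
    Q = mul(e, G)                                   # published constant; looks like any point
    d = pow(e, -1, N)                               # trapdoor value: d*Q == P (P is G here)
    victim = DualEC(seed=0x133720150114, P=G, Q=Q)  # constructed seed
    b1, b2 = victim.next_block(), victim.next_block()
    state = recover_state(b1, b2, d, Q)
    state_ok = state == victim.s
    clone = DualEC(state, G, Q)
    predicted = [clone.next_block() for _ in range(3)]
    actual = [victim.next_block() for _ in range(3)]
    return mul(d, Q) == G, state_ok, predicted == actual

if __name__ == "__main__":
    print(demo())                                   # (True, True, True)
```

An observer without d sees only truncated x-coordinates; the check a reviewer can apply to such a design is whether the constants come with a derivation anyone can reproduce, as `derive_q` does from a public label.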

    5. Re:That's why we gave EMC money by Anonymous Coward · · Score: 0

      Even their work to strengthen the S-boxes in DES was counterbalanced by their attempt (and qualified success) at weakening it to brute force attacks. What was the motivation behind this?

      NSA worked closely with IBM to strengthen the algorithm against all except brute force attacks and to strengthen substitution tables, called S-boxes. Conversely, NSA tried to convince IBM to reduce the length of the key from 64 to 48 bits. Ultimately they compromised on a 56-bit key.

      DOCID 3417193

    6. Re:That's why we gave EMC money by edtice1559 · · Score: 1

      Wanting to include this in FIPS seems to also show an incredible level of incompetence. Imagine the NSA forcing a backdoor into the crypto algorithm only to have an adversary take advantage of it to have a backdoor into the US government. It's possible that there was a parallel plot to turn this off on every FIPS certified device purchased by US government agencies but given the level of competence that can be found in the bureaucracy it's likely that the whole thing would have backfired. The NSA is lucky that they failed here. What's "regrettable" is that they didn't think things through before even trying something so ridiculous.

  5. other descriptions... by pixelpusher220 · · Score: 2

    criminal? fraudulent? subversive?

    --
    People in cars cause accidents....accidents in cars cause people :-D
    1. Re:other descriptions... by Anonymous Coward · · Score: 5, Insightful

      how about "works as intended"

  6. Sorry they got caught. by Anonymous Coward · · Score: 0

    They're sorry they got caught, and only that because of how much harder it will make pulling the same thing again in the future.

  7. oh yeah? by Anonymous Coward · · Score: 0

    since no one cared, what is a blackout in DC to a rumoured TERRORIST act?

  8. Why is it regrettable? by DoofusOfDeath · · Score: 5, Insightful

    I'd like to hear him explain his regret in a little more detail. Was it morally wrong? Was it against civil ethics? Was it anti-democratic? Was it illegal? Or was it that they got caught?

    Also, "is regrettable" is basically the passive tense. Does he regret it? Does he think that the congressional oversight committees are morally culpable for not having stopped it?

    1. Re:Why is it regrettable? by Anonymous Coward · · Score: 0

      He regrets it because if they dropped support sooner their actions might have remained unknown to the peasantry.

    2. Re:Why is it regrettable? by Anonymous Coward · · Score: 0

      There is no such thing as "passive tense".

    3. Re:Why is it regrettable? by Anonymous Coward · · Score: 1

      Yeessss... let the Microsoft grammar checker flow through you...

    4. Re:Why is it regrettable? by rwyoder · · Score: 1

      I'd like to hear him explain his regret in a little more detail. Was it morally wrong? Was it against civil ethics? Was it anti-democratic? Was it illegal? Or was it that they got caught?

      Also, "is regrettable" is basically the passive tense. Does he regret it? Does he think that the congressional oversight committees are morally culpable for not having stopped it?

      Here is the video: https://www.youtube.com/watch?...

    5. Re:Why is it regrettable? by pitchpipe · · Score: 1

      I'd like to hear him explain his regret in a little more detail. Was it morally wrong? Was it against civil ethics? Was it anti-democratic? Was it illegal? Or was it that they got caught?

      He regrets it like he regrets eating that hot chili cheese burrito.

      --
      Look where all this talking got us, baby.
    6. Re:Why is it regrettable? by K. S. Kyosuke · · Score: 1

      Also, "is regrettable" is basically the passive tense.

      At best it's deagentization. Syntax-wise, I don't see anything passive about copulative sentences.

      --
      Ezekiel 23:20
    7. Re:Why is it regrettable? by phantomfive · · Score: 1

      You can read what he wrote, it's linked to in the article. Earlier in the article he has an explanation of why the backdoor was left in, that it wasn't an attempt to subvert encryption of the world.

      With hindsight, NSA should have ceased supporting the dual EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor. In truth, I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable. The costs to the Defense Department to deploy a new algorithm were not an adequate reason to sustain our support for a questionable algorithm. Indeed, we support NIST’s April 2014 decision to remove the algorithm. Furthermore, we realize that our advocacy for the DUAL_EC_DRBG casts suspicion on the broader body of work NSA has done to promote secure standards. Indeed, some colleagues have extrapolated this single action to allege that NSA has a broader agenda to “undermine Internet encryption.” A fair reading of our track record speaks otherwise.

      --
      "First they came for the slanderers and i said nothing."
  9. No admission of guilt by Anonymous Coward · · Score: 5, Informative

    Parse his words carefully. He never admits that the NSA actually engineered the backdoor into the algorithm, he only states that he regrets supporting the algorithm after other people pointed out it was backdoored.

    This is basically equivalent to the mealy-mouthed apologies you hear from young children after they've done something wrong but absolutely refuse to fess up about it.

    1. Re:No admission of guilt by DoofusOfDeath · · Score: 3, Interesting

      I wonder if it would have been a security violation for him to admit it, so this is the best he can do?

    2. Re:No admission of guilt by Anonymous Coward · · Score: 0

      This is basically equivalent to the mealy-mouthed apologies you hear from young children after they've done something wrong but absolutely refuse to fess up about it.

      Man, I've hated those apologies since I was a child.

    3. Re:No admission of guilt by Anonymous Coward · · Score: 0

      I doubt that it's a policy issue. If it were, he would say nothing at all. Why does he think his personal opinions about NSA security should be public?
      His faux concern would be better used to have stopped them from making a poor encryption system at all. Who knows what else they are doing the same way now?

    4. Re:No admission of guilt by Anonymous Coward · · Score: 0

      This is almost certainly the case... everything but the public policy aspects of the NSA supporting this standard are highly classified, so nothing can be said.
      Even if there is a leak, and everybody knows what is going on.... it is still a felony to personally divulge/confirm, comment on, or add to any of this.

    5. Re:No admission of guilt by stoborrobots · · Score: 3, Insightful

      He never admits that the NSA actually engineered the backdoor into the algorithm, he only states that he regrets supporting the algorithm after other people pointed out it was backdoored.

      It's entirely possible that they did not engineer the backdoor - that might have come from the original creator.

      It's further possible (although I would hope it's not the case) that they did not find the backdoor before it was publicly disclosed.

      Either way, they should have stopped endorsing the algorithm as soon as they knew it was weak, whether that was at public disclosure or earlier.

      That they continued to claim it was secure after it was publicly known to be weak is a complete failure on their part, and they are DEFINITELY culpable for that.

      We BELIEVE that they probably put it there, in which case, they're even more culpable, but we don't know that for certain...

    6. Re:No admission of guilt by gnasher719 · · Score: 3, Interesting

      Parse his words carefully. He never admits that the NSA actually engineered the backdoor into the algorithm, he only states that he regrets supporting the algorithm after other people pointed out it was backdoored.

      This is basically equivalent to the mealy-mouthed apologies you hear from young children after they've done something wrong but absolutely refuse to fess up about it.

      And you don't understand what actually happened. There is no evidence and there never was evidence that the algorithm had a backdoor. There is evidence that _if_ the NSA had known about the possibility of a backdoor early enough, they _could_ have added a backdoor. There is no evidence that they knew about it early enough, and there is no evidence that they added a backdoor. The NSA _does_ know that nobody else added a backdoor. So they either added a backdoor, or they didn't and know there is no backdoor. There is no evidence either way.

      So nobody has any evidence that they have done anything wrong. They supported this standard for too long, and there are two logical explanations for this: Either because they had added a backdoor and wanted to use it, or because they knew for a fact that there is no backdoor (because only the NSA could have added it and they know they didn't) and therefore knew that the algorithm was safe.

    7. Re:No admission of guilt by Agripa · · Score: 1

      There is no need to wait for non-circumstantial evidence. The government likes to use lesser evidence standards than beyond a reasonable doubt so let's follow their example.

      What is more likely than not? That the NSA missed a public/private key based backdoor designed into an algorithm, strongly supported it after it was revealed that such existed, and bribed RSA over it? Or that NSA designed it in from the start and through a fit of managerial incompetence, trashed any trust they had accumulated with non-government institutions?

  10. he SAID "after it was discovered" by raymorris · · Score: 1

    He said:

      NSA should have ceased supporting the dual EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor.

    1. Re:he SAID "after it was discovered" by msauve · · Score: 5, Interesting

      IOW, he wants the perception to be that they wouldn't do the same again. Because, it's lowered their credibility. That doesn't mean they wouldn't do the same thing again, they just want you to think they wouldn't.

      ("Please don't look for more holes in stuff we support. Ignore the man behind the curtain. We're from the government, and we're here to help.")

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:he SAID "after it was discovered" by Euler · · Score: 2

      Exactly. This is not an apology. I read TFA. Somehow, they want to put the horse back in the barn. There was a time that they had a mission to develop technology that was useful to US government agencies, industry, banking interests, etc. I truly respect people who were doing honest work at securing US interests. But there is just no going back, all that work is forever tainted.

  11. Interesting wording by Excelcia · · Score: 3, Insightful

    I find it very interesting the wording. They think that they should have "ceased supporting the dual EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor" and that their failure to do so was regrettable. What about their helping to develop the algo with a back door to begin with?

    They are essentially coming out and admitting they are sorry that they didn't drop support, because if they had dropped support at least they would have been able to cover up the fact they intentionally create algorithms with flaws to begin with.

    1. Re:Interesting wording by AHuxley · · Score: 3, Insightful

      It was regrettable security researchers, brands, firms, academics and other experts failed to find, did not look, did not ask, did not consider, did not want to understand, were not interested or collaborated in placing so many trap doors and backdoors in international crypto standards over the years.
      Just getting weak crypto created and set as a standard is the first part. Keeping it as a standard for some time was the real trick. A lot of smart people and top brands had to stay tame and look the other way on that aspect over the years.
      The good news is people can just move back to number stations and only use one time pads once.
      The intentionally create algorithms seemed to go back to the 1950's as the Martin and Mitchell defection hinted in the early 1960's
      https://en.wikipedia.org/wiki/...
      "Our main dissatisfaction concerned some of the practices the United States uses in gathering intelligence information ... deliberately violating the airspace of other nations ... intercepting and deciphering the secret communications of its own allies ..."

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Interesting wording by Anonymous Coward · · Score: 0

      Elliptic curve cryptography is still considered a sound methodology. At the time NSA supported the specific algorithm, security experts expected this to be better security. It was not suspect from the beginning. It took several months before anyone had an issue, and that was only theoretical. By 2007, it was clear something was amiss, yet no proof of the backdoor had been produced. After the Snowden leaks, strong circumstantial evidence points to the NSA having purposefully placed a backdoor in the algorithm. The NSA has an Information Assurance mission to prevent foreign adversaries from gaining access to sensitive information. In this role, they provide standards for the US which are typically adopted by NIST. If the NSA is publishing intentionally weak standards to NIST, they are violating part of their explicit mission.

      The president and Congress should take action against such things. This is a far cry from when the NSA once provided modifications to algorithms that would later be proven to increase security (see DES and substitution tables).

  12. Nothing out of the ordinary here: by Anonymous Coward · · Score: 0

    Criminals who get caught see their actions as regrettable. Criminals who don't get caught have no regrets.

  13. The NSA has nothing to regret. by fustakrakich · · Score: 3, Insightful

    Nothing happened. The spying continues as if nobody said a thing. It had no effect on the election, and it won't have any effect in the next one. Whatever the NSA does from here on out cannot be blamed on anybody but the voters. It's extremely simple.

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:The NSA has nothing to regret. by Slashjones · · Score: 3

      It isn't even just a case of voters ignoring the issue; countless people directly support the unconstitutional freedom-violating mass surveillance. So yeah, it's definitely the fault of voters, and a lot of them love it.

    2. Re:The NSA has nothing to regret. by fustakrakich · · Score: 1

      Yes, I did fail to bring up the fact that most people want this. We truly do have a very representative government in the US.

      --
      “He’s not deformed, he’s just drunk!”
    3. Re:The NSA has nothing to regret. by cascadingstylesheet · · Score: 1

      Nothing happened. The spying continues as if nobody said a thing. It had no effect on the election, and it won't have any effect in the next one. Whatever the NSA does from here on out cannot be blamed on anybody but the voters. It's extremely simple.

      Wow, you mean we get to vote for the chief executive, who is the boss of executive agencies like the NSA?

      That's good to know. I wonder who most of those complaining about the NSA supported and opposed the last time they had the chance?

    4. Re:The NSA has nothing to regret. by Anonymous Coward · · Score: 0

      Probably someone who supported the NSA and other freedom-violating policies (TSA, Patriot Act, etc.). Scumbags from The One Party have no interest in changing any of this, so voting for them is voting for evil, meaning you (whoever votes for them) are supporting their evil.

  14. Everybody regrets getting caught by DarkOx · · Score: 2

    With hindsight, NSA should have ceased supporting the dual EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor

    So really he regrets they got caught trying to insert a backdoor and wishes they would have handled the aftermath of being busted in a way that might have won back some undeserved trust, but he does not regret attempting to back door the algorithm in the first place. I read this as "would do it again".

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  15. Yeah, bullshit by Anonymous Coward · · Score: 0

    More like "the fact that we got caught providing the cleverly backdoored code is regrettable."

  16. Only "regrettable"... by Anonymous Coward · · Score: 0

    ...after they were called on it. So much for veracity.

  17. That's not an apology. by steelfood · · Score: 4, Insightful

    That's no apology, that's just expressing regret.

    If they really wanted to apologize, they should be apologizing for subverting the standards process in the first place. Both RSA's and NIST's credibility are in the crapper thanks to them, though it's admittedly RSA's own fault for taking the $10 million.

    But there's no point in apologizing to the crypto community or even to any subset of it. This behavior by the NSA was almost expected, and it would be stupid to not believe it given all the pre-Snowden evidence. In fact, it validates a lot of people's conclusion that funny-looking and funny-smelling things should generally be avoided.

    --
    "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    1. Re:That's not an apology. by Anonymous Coward · · Score: 1

      it validates a lot of people's conclusion that funny-looking and funny-smelling things should generally be avoided.

      You mean like how AES is a curiously simplistic untested algorithm that somehow got standardized?

    2. Re:That's not an apology. by Anonymous Coward · · Score: 0

      It's not even expressing regret. It's regrettable, that is the action is something that may cause regret, not that he or the NSA actually does.

    3. Re:That's not an apology. by Anonymous Coward · · Score: 0

      AES is neither curiously simplistic nor untested. It didn't just "somehow" get standardized, it was developed by well-known cryptographers in an open process involving several competing algorithms. Its selection from amongst the competitors was for well-documented reasons. As someone entirely uninvolved in the process, just reading about it on the net, before the selection I actually made a bet that Rijndael would be selected as AES.

      Additionally, the problem with this PRNG isn't so much the algorithm (which seems ok) but certain constants which were specified without any explanation of how they were chosen. It is known that if one were to construct the constants in a certain way, the one who knows how the constants were chosen could predict the random number stream in computationally feasible ways.

  18. Fuck you, Mike! by Anonymous Coward · · Score: 4, Insightful

    It was "regrettable" that, after the whole community cast aspersions at your intentionally-broken algorithm, you didn't drop your own support for it? Go eat a fucking dick.

    What you should have done, instead of "dropping your support", was come clean and say "sorry guys, that was a shitty thing to do and we should not have done it. This algorithm was in fact sabotaged by us and it should never be used for anything other than a case study for cryptographers learning to detect shitty things like this being done to algorithms in plain sight. We ought to be using better tools to catch bad guys rather than intentionally breaking encryption for everyone."

    Asshole. Dual-use technologies work both ways, smarty-pants: if you break the algorithm, it's broken for the good guys, too, and the bad guys pwn everyone who thinks they are safe.

    Seriously, fuck you.

    1. Re:Fuck you, Mike! by Narcocide · · Score: 1

      My sentiments exactly. This post deserves to be heard. It deserves more than a 0 score.

    2. Re:Fuck you, Mike! by Anonymous Coward · · Score: 0

      If he was truly sincere and honorable, he would resign.

    3. Re:Fuck you, Mike! by Anonymous Coward · · Score: 0

      Well said. The asshole isn't even apologizing. He's just saying it was regrettable they still pushed it after people suspected it was dodgy. Yeah, that is pretty stupid and regrettable. They should have tried one that no one suspected...if they're going to be a bunch of sociopathic assholes.

    4. Re:Fuck you, Mike! by Anonymous Coward · · Score: 0

      We need a hall of fame for Slashdot postings. Pretty awesome post !!

    5. Re:Fuck you, Mike! by houghi · · Score: 1

      I fucked him. Now what?

      --
      Don't fight for your country, if your country does not fight for you.
    6. Re:Fuck you, Mike! by SparkleMotion88 · · Score: 1

      Dual-use technologies work both ways, smarty-pants: if you break the algorithm, it's broken for the good guys, too, and the bad guys pwn everyone who thinks they are safe.

      The cleverness of Dual_EC_DRBG is that it really is broken in a limited way. It produces numbers that are random to everyone who doesn't know the seed or a particular private key, which we assume only the NSA has. It's just as secure as using any "good" random number generator and then sending the seed to the NSA using public key encryption.

  19. Failure of imagination by tentative · · Score: 2

    "I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable." Allow me to help: indecent, dangerous, immoral, short sighted, borderline criminal.

    1. Re:Failure of imagination by Narcocide · · Score: 2

      I would go so far as to say it's basically theft, since in doing this (along with so many similar actions) they've basically done the exact opposite of the task to which they were assigned when we handed over our tax dollars to fund them.

    2. Re:Failure of imagination by Anonymous Coward · · Score: 0

      Can we stop saying things are "basically theft"? You could, if you were inclined, call this a misappropriation of public funds. You could not call it larceny. You could also not call it copyright infringement nor theft of services. All of those things could be theft though; the term is uselessly vague except to draw a reaction from the simple minded.

      You're a waste of oxygen. Because there's only a finite amount of breathable air on this planet, that's basically theft.

    3. Re:Failure of imagination by Anonymous Coward · · Score: 0

      Piss off.

      A gross misappropriation of a lot of public money for a use completely at odds with what it was for, is theft. In much the same way as buying a car on government dime for use by your daughter's bf would be.

      Also, there isn't a finite amount of breathable air.

  20. As a mathematician... by wickerprints · · Score: 5, Insightful

    I find Wertheimer's characterization of this gross oversight to be..."regrettable."

    Let's remind the reader and put the role of NSA mathematicians in context: In the world of mathematical research, what the NSA knows is by construction a superset of what the academic community knows. That is to say, NSA researchers have at their disposal the body of all published mathematical literature, in addition to any discoveries they have made internally, whereas non-NSA mathematicians do not have access to the latter. If a flaw in a commonly used cryptographic scheme is discovered by the NSA but is unknown in the public arena, this immediately leads to an exploitable situation.

    Thus, when outside researchers discover an issue, this tells us NOTHING about if or when the NSA knew about the same flaw. It also means nothing for NSA mathematicians to apologize or write in public correspondence what their version of events was. Their lack of credibility does not stem from the existence of such flaws; no. Neither does it necessarily follow from the lies they have told in other respects. On this point I must be completely clear. Their lack of credibility stems from the aforementioned and inherent information asymmetry. To attempt to infer the sincerity of the message based on indirect evidence, past behavior, and allusions to glorious historical efforts is to be misled from the fundamental reality, which is that the NSA and its mathematicians are under no obligation to tell the truth because they undoubtedly possess mathematical secrets that the public does not.

    That said, I am gratified that many preeminent mathematicians working in the fields of number theory, cryptography, algebra, combinatorial analysis, and cryptanalysis do not choose to work for the NSA and instead remain in the academic community, on the premise that the advancement of humankind necessitates the openness of the process of discovery and the unrestricted dissemination of mathematical research.

    1. Re:As a mathematician... by Anonymous Coward · · Score: 1

      The problem here is not that the NSA "discovered" the flaw and kept quiet, but rather the appearance that they could have engineered a backdoor into the protocol, giving them a backdoor that no-one else had. NSA is claiming they didn't realize their insistence upon using a specific vector set of their choosing would give them this advantage. The Snowden revelations make that claim of ignorance very suspect given the high level of efforts at the time to infiltrate all forms of encrypted communications.

    2. Re:As a mathematician... by Anonymous Coward · · Score: 0

      > and cryptanalysis do not choose to work for the NSA

      As far as you know.

    3. Re:As a mathematician... by Anonymous Coward · · Score: 2, Interesting

      NO_ONE that works in cryptography should EVER publish in the US, as OFTEN, their work NEVER sees the light of day. The NSA frequently silence any publication, including your thesis, under "national security".
      Anyone with half a brain publishes in places like Germany, where "other" stakeholders help neutralize US bastardry.

    4. Re:As a mathematician... by epine · · Score: 1

      In the world of mathematical research, what the NSA knows is by construction a superset of what the academic community knows.

      Modulo pub net (aka Brewsky's) and "unpublished communication".

      But apparently you subscribe to the maxim that the "publish or perish" edict is axiomatically tantamount to "no unpublished thought" which I find interesting, because stuffy academic writing hardly strikes me as Truman Burbank's brainstem Twitter feed.

      Not that this is a subject matter where we should stray into the kind of pedantry best reserved for slicing and dicing The Recognitions or Gravity's Rainbow or Infinite Jest, which is how real geeks test their mettle.

  21. In other news... by l0n3s0m3phr34k · · Score: 0

    Michael Wertheimer, the director of researcher at the National Security Agency, was found in his garage dead this morning. Medical officials say he died from auto-erotic asphyxiation. He left a suicide note saying he was "sorry for ever speaking out against my excellent employer and even death cannot undo what I have done".

  22. I don't get it. by mark_reh · · Score: 1

    Why not use a real random number generator (such as avalanche noise in a semiconductor junction) to generate a key instead of a pseudorandom number generated by software that can be back-doored?

    1. Re:I don't get it. by Anonymous Coward · · Score: 0

      Speed and cost mostly.

    2. Re:I don't get it. by Anonymous Coward · · Score: 0

      Because governments have a high interest in your not having very good random number sources. Think - why is the "standard" C library random number limited for 48 bits, rather than 64? Because it is very easy to guess the next number with 48 bits, much harder with 64.

    3. Re: I don't get it. by Anonymous Coward · · Score: 1

      True random generators are not certifiable because no matter how long you run them you can never be sure that the randomness is evenly distributed. PRNGs can be tested and verified.

    4. Re:I don't get it. by Anonymous Coward · · Score: 1

      Think - why is the "standard" C library random number limited for 48 bits, rather than 64?

      The standard C library's random number generator (RNG) was never designed for security applications. Even if it were increased to 64 bits, it would still be a terrible RNG to use for cryptography. It was designed to be "good enough" for things like Monte Carlo simulations and other similar math problems. Many problems require a RNG that can generate a lot of numbers very quickly, but only require the number stream to be "random enough" according to certain statistical measures. The C library is often good enough in such cases, and a cryptographic random number generator would not only be overkill, it would slow down the calculation/simulation unacceptably. In fact, I've seen papers describing GPU-accelerated RNG algorithms that generate even "worse" random number streams than the C standard library's generator, but are nevertheless useful because they can generate a whole lot of pseudo-random data very fast, and the randomness is still "good enough" for some physics applications.

      Conversely, anyone who knows anything about security also knows to select a RNG that was designed for that purpose. That's why all modern OS's include a cryptographic random API that uses a superior pseudo-random number generator in conjunction with as many sources of physical random input as are available.

  23. Dear NSA by Anonymous Coward · · Score: 0

    Who exactly are they speaking to when they try to come out all apologetic about their recent behavior ? In what universe do they think that any amount of PR or damage control at this point will restore trust in the ( or any secret ) agency ?

    Because of their bullshit, NO ONE ( foreign or domestic ) trusts any part of the American Government now. There is absolutely nothing they can say ( even IF it is the absolute truth ) that will be believed. Not by Americans, and certainly not by the rest of the planet. Their bullshit antics are ->- close to destroying the American technology sector if they haven't already.

    Seriously. Would YOU buy any technology based gear at this point from an American company and not wonder if the damn thing was compromised before you even unboxed it ? Would you transmit sensitive data of any kind across the Internet knowing it's going to find its way into the American Governments hands ? Hell you can't even trust the damned crypto because the idiots are actively sabotaging it. That's just fucking brilliant.

    Do you understand what happens next when no one feels safe from their government ?

    If not, here's a tip.

    If the laws of this land are insufficient to curb what is not only blatant but arrogantly illegal behavior, perhaps we should cease relying on the laws and remind ourselves of the reasons for one of our more controversial amendments.

    1. Re:Dear NSA by Anonymous Coward · · Score: 0

      My boss would not give a rat's ass if whatever he buys is backdoored and monitored by the NSA.
      Your data, his customers' data, .. he does not give a flying fuck. If it is profitable in short term, then he goes for it.

      I would say most businesses reason the same way.

  24. Methods and Techniques by Anonymous Coward · · Score: 0

    Revealing methods and techniques whether by direct or indirect actions is an act of Treason and punishable by death.

    I question the validity of the article and sources.

  25. "Regrettable" =/= "Regretted" by Anonymous Coward · · Score: 2, Insightful

    "It's something We should feel ashamed about. We DON'T feel ashamed, though." Big big difference.

  26. NSA = More invasive Stasi by Anonymous Coward · · Score: 0

    This is an organisation with not a shred of credibility. Their interference of the United States in the affairs of my own country is malignant. I have nothing but contempt for the US regime, and all of the totalitarian apparatus of state that surrounds it. Poor Americans, living in such a dreadful, and totally authoritarian regime.

  27. And then... by wonkey_monkey · · Score: 3, Interesting

    NSA Official: Supporting Backdoored Random Number Generator Was "Regrettable"

    He then steepled his fingers and muttered "mwuhaha" under his breath.

    Isn't "regrettable" how Bond villains usually refer to their gruesome murders of formerly trusted employees?

    --
    systemd is Roko's Basilisk.
  28. Didn't they themselves choose the seed table? by DJRikki · · Score: 1

    Little more than just suspecting if so

  29. Sorry we got caught by Anonymous Coward · · Score: 0

    With hindsight, NSA should have ceased supporting the dual EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor.

    Yep, sorry they got caught.

  30. So what is he doing about it? by Anonymous Coward · · Score: 0

    He wishes the NSA had not done something dumb that they did.
    That's nice, but what process is he setting up inside the agency to prevent this from happening again?

    The correct answer is to get off the 'we need to see everything' addiction and support the ability of folks to have privacy.
    The likely answer is the junkie's answer of just getting better at not getting caught.

    There is an old story about folks who live in glass houses.
    Any new NSA internal process should be about making stronger glass.
    The NSA's desire to make weaker glass for the bad guys ignores that it also makes our glass weaker.
    This makes sense if only the NSA can throw rocks.
    But anybody can throw rocks.

    Unfortunately, it seems our security and information economy depend more and more on this stuff working.

  31. Matthew Green's take by bulled · · Score: 1

    He does a good job of calling out pretty much everything expressed here. As well as highlighting some of the half-truths and/or complete lies in the letter.

  32. DROPPED PANTS by obscuro · · Score: 1

    Yeah, it's regrettable that in pursuit of spying on your own citizens and other departments of your own government, you dropped all of our collective pants to a long list of potential attackers. On second thought, maybe I'm overstating things. How many people who want to damage American interests can afford a room full of GPUs and some math PhDs? It's all good. Let's just move along.

    --
    Every rule has more than one consequence.